/**
* Decrypts the encrypted settings and returns the plaintext INI string
*
* @param $encrypted string The encrypted data
*
* @return string The decrypted data
*/
public static function decryptSettings($encrypted, $key = null)
{
if (substr($encrypted, 0, 12) == '###AES128###') {
$mode = 'AES128';
} elseif (substr($encrypted, 0, 12) == '###CTR128###') {
$mode = 'CTR128';
} else {
return $encrypted;
}
if (empty($key)) {
$key = self::getKey();
}
$encrypted = substr($encrypted, 12);
switch ($mode) {
case 'AES128':
$encrypted = base64_decode($encrypted);
$decrypted = AEUtilEncrypt::AESDecryptCBC($encrypted, $key, 128);
break;
case 'CTR128':
$decrypted = AEUtilEncrypt::AESDecryptCtr($encrypted, $key, 128);
break;
}
return $decrypted;
}
public function execute($json)
{
// Check if we're activated
$enabled = AEPlatform::getInstance()->get_platform_configuration_option('frontend_enable', 0);
if (!$enabled) {
$this->data = 'Access denied';
$this->status = self::STATUS_NOT_AVAILABLE;
$this->encapsulation = self::ENCAPSULATION_RAW;
return $this->getResponse();
}
// Try to JSON-decode the request's input first
$request = @$this->json_decode($json, false);
if (is_null($request)) {
// Could not decode JSON
$this->data = 'JSON decoding error';
$this->status = self::STATUS_ERROR;
$this->encapsulation = self::ENCAPSULATION_RAW;
return $this->getResponse();
}
// Decode the request body
// Request format: {encapsulation, body{ [key], [challenge], method, [data] }} or {[challenge], method, [data]}
if (isset($request->encapsulation) && isset($request->body)) {
if (!class_exists('AEUtilEncrypt') && !($request->encapsulation == self::ENCAPSULATION_RAW)) {
// Encrypted request found, but there is no encryption class available!
$this->data = 'This server does not support encrypted requests';
$this->status = self::STATUS_NOT_AVAILABLE;
$this->encapsulation = self::ENCAPSULATION_RAW;
return $this->getResponse();
}
// Fully specified request
switch ($request->encapsulation) {
case self::ENCAPSULATION_AESCBC128:
if (!isset($body)) {
$request->body = base64_decode($request->body);
$body = AEUtilEncrypt::AESDecryptCBC($request->body, $this->serverKey(), 128);
}
break;
case self::ENCAPSULATION_AESCBC256:
if (!isset($body)) {
$request->body = base64_decode($request->body);
$body = AEUtilEncrypt::AESDecryptCBC($request->body, $this->serverKey(), 256);
}
break;
case self::ENCAPSULATION_AESCTR128:
if (!isset($body)) {
$body = AEUtilEncrypt::AESDecryptCtr($request->body, $this->serverKey(), 128);
}
break;
case self::ENCAPSULATION_AESCTR256:
if (!isset($body)) {
$body = AEUtilEncrypt::AESDecryptCtr($request->body, $this->serverKey(), 256);
}
break;
case self::ENCAPSULATION_RAW:
$body = $request->body;
break;
}
if (!empty($request->body)) {
$body = rtrim($body, chr(0));
$request->body = $this->json_decode($body);
if (is_null($request->body)) {
// Decryption failed. The user is an imposter! Go away, hacker!
$this->data = 'Authentication failed';
$this->status = self::STATUS_NOT_AUTH;
$this->encapsulation = self::ENCAPSULATION_RAW;
return $this->getResponse();
}
}
} elseif (isset($request->body)) {
// Partially specified request, assume RAW encapsulation
$request->encapsulation = self::ENCAPSULATION_RAW;
$request->body = $this->json_decode($request->body);
} else {
// Legacy request
$legacyRequest = clone $request;
$request = (object) array('encapsulation' => self::ENCAPSULATION_RAW, 'body' => null);
$request->body = $this->json_decode($legacyRequest);
unset($legacyRequest);
}
// Authenticate the user. Do note that if an encrypted request was made, we can safely assume that
// the user is authenticated (he already knows the server key!)
if ($request->encapsulation == self::ENCAPSULATION_RAW) {
$authenticated = false;
if (isset($request->body->challenge)) {
list($challenge, $check) = explode(':', $request->body->challenge);
$crosscheck = strtolower(md5($challenge . $this->serverKey()));
$authenticated = $crosscheck == $check;
}
if (!$authenticated) {
// If the challenge was missing or it was wrong, don't let him go any further
$this->data = 'Invalid login credentials';
$this->status = self::STATUS_NOT_AUTH;
$this->encapsulation = self::ENCAPSULATION_RAW;
return $this->getResponse();
}
}
// Replicate the encapsulation preferences of the client for our own output
$this->encapsulation = $request->encapsulation;
// Store the client-specified key, or use the server key if none specified and the request
// came encrypted.
$this->password = isset($request->body->key) ? $request->body->key : null;
$hasKey = isset($request->body->key) || property_exists($request->body, 'key') ? !is_null($request->body->key) : false;
if (!$hasKey && $request->encapsulation != self::ENCAPSULATION_RAW) {
$this->password = $this->serverKey();
}
// Does the specified method exist?
$method_exists = false;
$method_name = '';
if (isset($request->body->method)) {
$method_name = ucfirst($request->body->method);
$this->method_name = $method_name;
$method_exists = method_exists($this, '_api' . $method_name);
}
if (!$method_exists) {
// The requested method doesn't exist. Oops!
$this->data = "Invalid method {$method_name}";
$this->status = self::STATUS_INVALID_METHOD;
$this->encapsulation = self::ENCAPSULATION_RAW;
return $this->getResponse();
}
// Run the method
$params = array();
if (isset($request->body->data)) {
$params = (array) $request->body->data;
}
$this->data = call_user_func(array($this, '_api' . $method_name), $params);
return $this->getResponse();
}
